v1.28 Backports 2024-06-01 #786
…external

[ upstream commit 7358b64 ]

Use the original source address if permitted even if the destination is external to the cluster.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Date: 2024-05-31 16:38:45 +0200

[ upstream commit 1de461c ]

Author: Jarno Rajahalme <jarno@isovalent.com>
Date: 2024-05-31 16:32:26 +0200

bpf: Allow reopening a map

Close any possible existing map before opening a new one. This allows Open() to be called again to reopen the map. Store the path passed to open() for a later retry during lookup() if the open failed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit 0c89a4a ]

Move ipcache singleton management from bpf_metadata.cc to ipcache.cc so that the singleton can be accessed without going through bpf_metadata. This avoids a Bazel import cycle in the following commits.

Add new static methods to ipcache to create and get the singleton.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Relates: cilium/proxy#786
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Small cleanup I'd like to see on the 4th commit.

Also will have to be careful to combine the related cilium/cilium changes when bumping releases to this new image!
[ upstream commit 669610f ]

Make server factory context available by storing it in a member.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 02047ea ]

Add GrpcMuxImpl wrapper class to get access to onStreamEstablished(), and implement isNewStream() that returns 'true' on the first call after a new stream has been established.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit c9e6d84 ]

Reopen ipcache map each time after a new gRPC stream has been established for Network Policy Discovery Service. This is necessary to get access to the new IP Cache map Cilium Agent creates on restart.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit]

This is to fix the below CVE.

```
ADVISORY             SEVERITY  PACKAGE           CURRENT VERSION  FIXED IN VERSION
GHSA-4v7x-pqxf-cx7m  Medium    golang.org/x/net  v0.21.0          0.23.0
GO-2024-2687         Unknown   golang.org/x/net  v0.21.0          0.23.0
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit d34c0d3]

Patch original destination cluster to avoid multiple hosts for the same address.

Connection pool containers use HostSharedPtr as map keys, rather than the address of the host. This leads to multiple connections when there are multiple Host instances for the same address. This is breaking use of the original source address and port for upstream connections since only one such connection can exist at any one time.

Original destination cluster implementation creates such duplicate Host instances when two worker threads are racing to create a Host for the same destination at the same time.

Fix this by keeping a separate 'updates_map' where each worker places a newly created Host for the original destination. This map is used to look for the Host if it cannot be found from the shared read-only 'host_map'. Access to 'updates_map' is synchronized so that it can be safely shared by the worker threads. The main thread consolidates the updates from the 'updates_map' to a new instance of the shared, read-only hosts map, so that the workers do not need to stall for possibly large map updates.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
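The two-map scheme described in that commit message, as an added illustration that is not the Envoy or cilium/proxy code: a simplified `Host` keyed by address stands in for Envoy's `Upstream::Host`, workers hit the read-only `host_map_` without a lock and fall back to the mutex-guarded `updates_map_`, and a main-thread `consolidate()` publishes a new read-only map instance. Class and method names (`OrigDstHosts`, `getOrCreateHost`, `consolidate`) are hypothetical.

```cpp
#include <map>
#include <memory>
#include <mutex>
#include <string>

// Simplified stand-in for Envoy's Upstream::Host (hypothetical).
struct Host { std::string address; };
using HostSharedPtr = std::shared_ptr<Host>;
using HostMap = std::map<std::string, HostSharedPtr>;      // keyed by "ip:port"
using HostMapConstSharedPtr = std::shared_ptr<const HostMap>;

class OrigDstHosts {
public:
  // Worker-thread path: yields exactly one Host per address even when
  // several workers race on a cache miss for the same destination.
  HostSharedPtr getOrCreateHost(const std::string& addr) {
    if (auto h = find(*current(), addr)) return h;         // shared read-only map, no lock
    std::lock_guard<std::mutex> lock(updates_mutex_);      // only the miss path is serialized
    if (auto h = find(*current(), addr)) return h;         // re-check: main thread may have just published
    HostSharedPtr& slot = updates_map_[addr];              // first racer creates, later ones reuse it
    if (!slot) slot = std::make_shared<Host>(Host{addr});
    return slot;
  }
  // Main-thread path: merge pending hosts into a *new* map instance and swap
  // the pointer, so workers never wait for a large map to be rebuilt.
  size_t consolidate() {
    auto merged = std::make_shared<HostMap>(*current());   // large copy done without holding updates_mutex_
    std::lock_guard<std::mutex> lock(updates_mutex_);
    size_t added = 0;
    for (const auto& kv : updates_map_)
      if (merged->emplace(kv.first, kv.second).second) ++added;   // never replace an existing Host
    updates_map_.clear();
    if (added == 0) return 0;
    std::lock_guard<std::mutex> m(map_mutex_);
    host_map_ = std::move(merged);                         // publish; readers copy the pointer only
    return added;
  }
  size_t size() const { return current()->size(); }

private:
  static HostSharedPtr find(const HostMap& m, const std::string& a) {
    auto it = m.find(a);
    return it == m.end() ? nullptr : it->second;
  }
  HostMapConstSharedPtr current() const {
    std::lock_guard<std::mutex> m(map_mutex_);             // guards only the pointer swap
    return host_map_;
  }
  mutable std::mutex map_mutex_;
  HostMapConstSharedPtr host_map_ = std::make_shared<const HostMap>();
  std::mutex updates_mutex_;                               // guards updates_map_ and publication
  HostMap updates_map_;
};
```

Because the second lookup in `getOrCreateHost` runs under the same mutex that `consolidate()` holds while publishing, a worker that missed on a stale `host_map_` cannot create a duplicate for a host published in between.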
Looks great, thanks!
This commit is to bump envoy version to v1.28.4 for the CVEs below:

- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c)

Additionally, this build also includes a couple of Cilium fixes; more details can be found in #786.

Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.28.4

Relates: cilium/proxy#786
Signed-off-by: Tam Mach <tam.mach@cilium.io>